The Conservative Party website is hosting a survey, but I question whether it complies with data protection and associated laws.

The first principle of the Data Protection Act 1998 (DPA) requires that any processing of personal data be fair (and lawful). If an organisation is collecting data from individuals then the person from whom it is obtained must be told the identity of the data controller, and the purpose or purposes for which the data are intended to be processed. These legal provisions (Schedule 1, DPA) are the source of the privacy notices (sometimes called “fair processing notices”) with which we are all familiar when we, for instance, make purchases, or submit forms, or, indeed, complete online surveys. As the Information Commissioner himself says, in the introduction to the ICO Privacy Notices Code of Practice

As a minimum, a privacy notice should tell people who you are, what you are going to do with their information and who it will be shared with

The Code goes on to stress that

the requirement…is strongest…where the information is sensitive

One of the things that makes personal data “sensitive” is if it consists of information as to a person’s political opinions (section 2(b), DPA) – the reasons for this barely need spelling out, but I would just note that history tells us much about the potential for abuse of information about the political affiliations or inclinations of individuals.

With all this in mind it is concerning to note that the website of the Conservative Party invites people to complete and submit an online survey, which includes, among other things, questions about the political opinions of those completing it, but whose privacy notice consists merely of

By entering your email address you agree to receive communications from us, from which you can opt-out using the “unsubscribe” link in each email we send. We will not share your details with anyone outside the Conservative Party

This is inadequate in a number of ways, but primarily because it gives no indication whatsoever of the purposes for which the (sensitive) data are to be processed. One assumes, noting the reference to receiving emails in the future, that it is for the purposes of marketing (and the ICO has made clear that political parties do engage in marketing). Failure to gather data fairly will mean that such future marketing use would also be in default breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Searching the rest of the website I do see that there is a generic privacy policy, which does refer to “online polls and surveys”, but that merely says that

in addition to your answers, we collect your Internet Protocol (IP) address…[to] help validate the results and help prevent multiple entries from individuals

It is difficult to imagine that the people responsible for this survey have had regard to the ICO’s invaluable guidance for political parties for campaigning or promotional purposes, which advises, for instance, that parties should be

transparent about your use of the individual’s information

In the field of market research there is a practice known as “sugging” which the Association for Qualitative Research describes thus

Sugging (selling under the guise of market research) …[occurs] when organisations building databases, or generating sales leads, claim to be conducting market research

One does wonder if that is what is going on here, but in the absence of an adequate privacy notice, it is not possible to tell.

UPDATE: 23.03.14

It looks like they’ve amended the survey now, with a link to a privacy policy. Whether it’s a coincidence they did so around the time The Independent ran a story on the issue is difficult to say.